**Note – Client tech directors in Dutchess County got a preview of this Tuesday so if you are in that group you may skip the rest of this note and go on to your next e-mail. For the rest of you please read on**
On Tuesday, May 29th, I received an updated alert from US-CERT with additional data on Hidden Cobra, the name US Homeland Security uses for a series of malicious cyber activity attributed to the North Korean government. The alert identified an updated set of IP addresses and indicators of compromise associated with malware used by the North Korean government, including specific remote access tools (RATs) and Server Message Block (SMB) worms.
The core of the notice lists 87 specific IP addresses across 17 countries that have been identified as compromised and involved in attacks associated with this activity. While the notice provides this list of IP addresses, it also warns that other hosts on, or connected to, the same networks as the identified hosts may already have been infected through lateral movement. The IP address list should therefore not be considered all-inclusive.
The 17 countries in which the 87 identified IP hosts are located are:
· Saudi Arabia
· Sri Lanka
Based upon our review, we felt it was highly unlikely that any ongoing legitimate communication was happening between our K-12 clients and these countries. We did identify that India and Brazil could perhaps become issues for some tech support calls, but this has not yet been proved out. If something is identified as a problem due to blocking a country, it can be quickly handled by a one-off whitelist entry on your IPS or firewall.
Based on the above, we are recommending that, instead of simply creating an ACL to block the 87 IP addresses currently on the provided list, you update the GeoBlocking ACLs on all your firewalls (Firepower IPS or FTD units) to add any of the above countries not already on those lists.
This action will catch not only the 87 identified IPs but also most of the neighbouring IPs in those countries that become infected through lateral movement and begin participating in the attacks. It is our hope that this will spare you from playing “whack-a-mole”, constantly adding new IPs as they are found on networks related to the already infected hosts.
Once implemented, technical staff will need to watch for reports of connections that no longer work or on-demand support sessions that will not start. The Connection Events table in the Firepower FMC is the place to identify connections that are being denied by the GeoBlocking rules.
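To make the rule-ordering point concrete, here is an added example (not part of this advisory, and not Cisco Firepower code) that models the policy described above in plain Python: an explicit block for the listed IOC addresses, a one-off whitelist exception for a legitimate support range, a country-level block, and a default allow. Every IP address, network and country assignment in it is constructed from the RFC 5737 documentation ranges and a hypothetical subset of the country list; the tiny lookup table stands in for the firewall's GeoIP database. The ordering is the assumption worth noting: the IOC block sits ahead of the whitelist so that a vendor exception can never re-open a known-bad host, and the whitelist sits ahead of the country block so the exception actually works.

```python
"""Policy model for the country-level blocking recommended above.

Added example; not part of the original advisory or of Cisco Firepower.
All addresses, networks and country assignments below are constructed
(RFC 5737 documentation ranges), not indicators from the US-CERT alert.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the alert's IOC list (the real list has 87 entries).
IOC_IPS = {
    ipaddress.ip_address("203.0.113.7"),
    ipaddress.ip_address("198.51.100.9"),
}

# Countries to add to the GeoBlocking ACL (ISO 3166-1 alpha-2; hypothetical subset).
GEOBLOCK_COUNTRIES = {"SA", "LK", "BR", "IN"}

# One-off exception for a legitimate vendor support range (hypothetical).
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed geolocation table standing in for the firewall's GeoIP database.
GEO_TABLE: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("203.0.113.0/24"), "SA"),
    (ipaddress.ip_network("198.51.100.0/24"), "IN"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]


def country_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix lookup of ip in the constructed GeoIP table."""
    best = None
    for net, cc in GEO_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def evaluate(dst: str) -> Tuple[str, str]:
    """Return (verdict, rule) for an outbound connection to dst.

    Rule order is the point: the explicit IOC block comes first so a
    whitelist for a vendor range can never re-open a known-bad host; the
    whitelist then takes precedence over the country block; everything
    else falls through to the GeoBlocking rule and finally a default allow.
    """
    ip = ipaddress.ip_address(dst)
    if ip in IOC_IPS:
        return ("deny", "ioc-blocklist")
    if any(ip in net for net in ALLOWLIST):
        return ("allow", "whitelist-exception")
    cc = country_of(ip)
    if cc in GEOBLOCK_COUNTRIES:
        return ("deny", f"geoblock:{cc}")
    return ("allow", "default")


def denied_by_geoblock(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter connection events down to those the country rule denies,
    which is the review staff would do after the change goes live."""
    out = []
    for ev in events:
        verdict, rule = evaluate(ev["dst"])
        if verdict == "deny" and rule.startswith("geoblock:"):
            out.append({**ev, "rule": rule})
    return out


# Constructed sample of outbound connections (not real FMC event data).
SAMPLE_EVENTS = [
    {"src": "10.20.30.40", "dst": "203.0.113.7", "port": "445"},    # listed IOC
    {"src": "10.20.30.41", "dst": "203.0.113.200", "port": "445"},  # unlisted neighbour, same country
    {"src": "10.20.30.42", "dst": "198.51.100.5", "port": "443"},   # whitelisted vendor range
    {"src": "10.20.30.42", "dst": "198.51.100.9", "port": "443"},   # IOC inside the whitelisted range
    {"src": "10.20.30.43", "dst": "198.51.100.77", "port": "443"},  # same country, outside whitelist
    {"src": "10.20.30.44", "dst": "192.0.2.10", "port": "443"},     # country not blocked
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["dst"], *evaluate(ev["dst"]))
    print("geoblock denials:", [e["dst"] for e in denied_by_geoblock(SAMPLE_EVENTS)])
```

The neighbour at 203.0.113.200 is the case the advisory is about: it is on no IOC list, yet the country rule denies it, whereas an address-only ACL would have let it through. The host at 198.51.100.9 shows the opposite edge: a whitelist written as a bare range would have re-opened a listed IOC had it been evaluated first.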
If you have any questions about this recommendation or if you wish to implement this update in your environment and need assistance, as always please contact our office.
For those inclined, the full detail of the US-CERT notice is here: